[WEB] Console

Got it! Really a great challenge! For anyone stuck:

Small hint for anyone stuck
look at the source code of the console

@stumpswap do you mean the source code on the project or just client side?

I found the App and the extension! But how can I find the secret? I’m not good at client-side programming! Any help or suggestions?

Hello, I am stuck in this challenge. Read the source code but cannot replicate the correct header values. I may be lost.

I believe I have the correct header format (since it is the same one the plugin generates for the same password), but I have still guessed 200K passwords with no luck. Is the response in case of success of a different length than that for an invalid password? Is the password in a reasonable top X list?

I ran both the normal authentication and my brute forcing through Burp and they have the same cookies (not all headers are the same though).

@goetia said:
Hello, I am stuck in this challenge. Read the source code but cannot replicate the correct header values. I may be lost.

A lot of programs will append a \n when reading an input file. Make sure to strip that out before creating the header.

Also, try making your header in the same programming language as the original program.

@rndmgnrtd said:

@goetia said:
Hello, I am stuck in this challenge. Read the source code but cannot replicate the correct header values. I may be lost.

A lot of programs will append a \n when reading an input file. Make sure to strip that out before creating the header.

Also, try making your header in the same programming language as the original program.

That was exactly my mistake, try a trim() :wink:
Don’t bother DM me

By the way, awesome challenge!

@GTh0ng said:

@rndmgnrtd said:

@goetia said:
Hello, I am stuck in this challenge. Read the source code but cannot replicate the correct header values. I may be lost.

A lot of programs will append a \n when reading an input file. Make sure to strip that out before creating the header.

Also, try making your header in the same programming language as the original program.

That was exactly my mistake, try a trim() :wink:
Don’t bother DM me

You’ve got to be kidding me, that was it, thanks very much

Finally solved. Thanks to @ama777 for the help.

And nice challenge. Don’t bother DM me.

Anyone who can give me a hand?

Finally, a tip: use a good WFuzz filter.

I found the public key and token, am I in the right direction?

It was fun.
tips:

  • read the source code
  • learn auth process
  • write some code
  • get the flag

Feel free to DM me.

Is there some special wordlist I should use? I have read the code and understood how the token is generated. My wfuzzing did not produce any hits.

I am hesitant to use the r****** wordlist, as the list generated from that seems to crash wfuzz.

@Log1c888 said:

I found the public key and token, am I in the right direction?

Yes, you are. I am you from the future.

Do I need to install the php console in Google Chrome to solve this challenge?

“Make sure to load php-console in order to be prompted for a password”, can somebody explain to me what console?

Fun to do some scripting, thanks!

Just solved the challenge, if anyone needs any help you can DM me.